Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deprecate insecure WebSockets (ws) #1830

Open
marten-seemann opened this issue Oct 14, 2022 · 3 comments
Open

deprecate insecure WebSockets (ws) #1830

marten-seemann opened this issue Oct 14, 2022 · 3 comments

Comments

@marten-seemann
Copy link
Contributor

I'm wondering if we should deprecate (insecure) WebSocket support:

  • With the web having moved to ubiquitous TLS encryption, there's simply no websites left for which the browser would allow an unencrypted WebSocket connection. When a website is loaded via HTTPS, the browser will block all unencrypted WebSocket requests originating from that site.
  • Standalone nodes could in principle still use WebSocket, as they're not bound by the browser's security model. However, there's no point in dialing a WebSocket connection to begin with: It's much faster (in terms of handshake latency) to dial a libp2p TCP connection.

If I understand the issue that prompted this PR correctly, this problem wouldn't exist if we just used the SNI we use in the TLS handshake for the Host header in the WebSocket CONNECT HTTP request. We don't set the Host header currently, but that would be a much smaller fix than adding a new multiaddr component.
The values for TLS SNI and the HTTP Host Header are always identical, unless you're doing some form of domain fronting. I'd be ok with leaving that fringe use case unsupported for now.

Originally posted by @marten-seemann in #1829 (comment)
@marten-seemann
Copy link
Contributor Author

How exactly would a deprecation look like? There are two options:

  1. print a warning when listening on an insecure WebSocket address
  2. print a warning when dialing an insecure WebSocket address

(1) has the advantage that this is something that the user controls. (2) is out of the user's control, since the node will dial ws addresses, if other nodes advertise those.

@Stebalien
Copy link
Member

I'd definitely do 1, that's the simplest.

Once it has been deprecated for a while, we can remove it from the defaults. IMO, if users are using the defaults, they're opting in to using whatever we decide to provide.

Note, there is a use-case for insecure websockets: corporate firewalls with mandated MITM proxies. However, given that almost nobody listens on insecure websockets, that's probably moot.

@p-shahi
Copy link
Member

p-shahi commented Nov 8, 2022
edited
Loading

Can we start printing the deprecation warning as soon as 0.24.0? and make it explicit in the release notes that insecure WebSockets will be deprecated/removed in a future release (2 or 3 releases later.)

@p-shahi p-shahi mentioned this issue Nov 8, 2022
Closed
34 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Stebalien @marten-seemann @p-shahi